Resource attributes


Access token customization

P14C Access Tokens are signed JWTs (JSON Web Tokens) that include identity claims about the requestor. It contains several core identity claims that cannot be modified or deleted. This service provides functionality to customize an access token by adding custom identity claims, modifying custom claims, or removing custom claims.

For information about access token core claims, see Access token claims.

Resource attributes API operations

The resources attributes endpoints support the following operations:

For hands-on experience with the resource attributes API endpoints, click the Run in Postman button below to download a Postman collection that you can import and open in your local Postman application.

Resource attributes data model

Property Description
name A string that specifies the name of the custom resource attribute to be included in the access token. The following names are reserved and cannot be used:
  • acr
  • amr
  • aud
  • auth_time
  • client_id
  • env
  • exp
  • iat
  • iss
  • jti
  • org
  • p1.* (any name staring with the p1. prefix)
  • scope
  • sid
  • sub
type A string that specifies the type of resource attribute. Options are:
  • CORE: The claim is required and cannot not be removed.
  • CUSTOM: The claim is not a CORE attribute. All created attributes are of this type.
value A string that specifies the value of the custom resource attribute. This value can be a placeholder that references an attribute in the user schema, expressed as “${user.path.to.value}”, or it can be a static string. Placeholders must be valid, enabled attributes in the environment’s user schema. Examples fo valid values are: “${user.email}”, “${user.name.family}”, and “myClaimValueString”.

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
401 You do not have access to this resource.
404 The requested resource was not found.

Endpoint examples

Get attributes for a resource

To get the list of custom attributes associated with a specified resource, the GET /environments/{environmentId}/resources/{resourceId}/attributes operation returns data for the attributes associated with the resource entity ID specified in the request URL.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/resources/{resourceId}/attributes" \
-H "Authorization: Bearer jwtToken"

The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes"
    }
  },
  "_embedded": {
    "attributes": [
      {
        "_links": {
          "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/8370d62d-ba19-4ee7-b9c6-11928749b13c"
          },
          "resource": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
          },
          "environment": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
          }
        },
        "id": "8370d62d-ba19-4ee7-b9c6-11928749b13c",
        "environment": {
          "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "name": "nickname",
        "value": "${user.nickname}",
        "type": "CUSTOM",
        "resource": {
          "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
        }
      },
      {
        "_links": {
          "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/84c17bdd-1aa4-4902-bea7-4e05fa853286"
          },
          "resource": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
          },
          "environment": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
          }
        },
        "id": "84c17bdd-1aa4-4902-bea7-4e05fa853286",
        "environment": {
          "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "name": "updatedName",
        "value": "updatedValue",
        "type": "CUSTOM",
        "resource": {
          "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
        }
      },
      {
        "_links": {
          "self": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/e41aec20-6eaa-4baa-a1c1-ae4a305244b1"
          },
          "resource": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
          },
          "environment": {
            "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
          }
        },
        "id": "e41aec20-6eaa-4baa-a1c1-ae4a305244b1",
        "environment": {
          "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
        },
        "name": "email",
        "value": "${user.email}",
        "type": "CUSTOM",
        "resource": {
          "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
        }
      }
    ]
  },
  "count": 3,
  "size": 3
}

Get one resource attribute

To get data for a single custom attribute resource, the GET /environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId} operation returns data for the resource attribute identified by its ID in the request URL.

curl -X GET "https://api.pingone.com/v1/environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId}" \
-H "Authorization: Bearer jwtToken"

The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/84c17bdd-1aa4-4902-bea7-4e05fa853286"
    },
    "environment": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "resource": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
    }
  },
  "id": "84c17bdd-1aa4-4902-bea7-4e05fa853286",
  "environment": {
    "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
  },
  "name": "email",
  "value": "${user.email}",
  "type": "CUSTOM",
  "resource": {
    "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
  }
}

Create resource attributes

The POST /environments/{environmentId}/resources/{resourceId}/attributes operation adds a new custom resource attribute. The request URL specifies the new attribute’s associated environment ID and resource ID.

curl -X "POST" "https://api.pingone.com/v1/environments/{environmentId}/resources/{resourceId}/attributes" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
  "name": "firstName",
  "value": "${user.name.given}"
}'

The request body must specify values for the attribute name and value properties. The name value must be unique within the specified environment resource and cannot use any of the reserve names.

The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/d13991db-145a-4f4c-802e-3f6526cb246c"
    },
    "environment": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "resource": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
    }
  },
  "id": "d13991db-145a-4f4c-802e-3f6526cb246c",
  "environment": {
    "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
  },
  "name": "firstName",
  "value": "${user.name.given}",
  "type": "CUSTOM",
  "resource": {
    "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
  }
}

Update resource attributes

The PUT /environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId} operation updates the property values of the identified attribute.

curl -X "PUT" "https://api.pingone.com/v1/environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId}" \
-H 'Content-type: application/json' \
-H 'Authorization: Bearer jwtToken' \
-d $'{
  "name": "nickname",
  "value": "${user.nickname}"
}'

The response data looks like this:

{
  "_links": {
    "self": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf/attributes/84c17bdd-1aa4-4902-bea7-4e05fa853286"
    },
    "environment": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
    },
    "resource": {
      "href": "https://api.pingone.com/v1/environments/9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7/resources/faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
    }
  },
  "id": "84c17bdd-1aa4-4902-bea7-4e05fa853286",
  "environment": {
    "id": "9ad15e9e-3ac6-43f7-a053-d46b87d6c4a7"
  },
  "name": "nickname",
  "value": "${user.nickname}",
  "type": "CUSTOM",
  "resource": {
    "id": "faac7db8-67ce-44aa-8ae0-5ae672f5b8bf"
  }
}

Delete resource attributes

The following sample shows the DELETE /environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId} operation to delete the specified custom resource attribute.

curl -X DELETE "https://api.pingone.com/v1/environments/{environmentId}/resources/{resourceId}/attributes/{resourceAttributeId}" \
-H "Authorization: Bearer jwtToken"

When successful, the DELETE request returns a code 204 No Content message.